Step 14. IIS Metabase


Security and other IIS configuration settings are maintained in the IIS metabase file. Harden the NTFS permissions on the IIS metabase (and the backup metabase file) to be sure that attackers cannot modify your IIS configuration in any way (for example, to disable authentication for a particular virtual directory.)

During this step, you:

  • Restrict access to the metabase using NTFS permissions.

  • Restrict banner information returned by IIS.

Restrict Access to the Metabase Using NTFS Permissions

Set the following NTFS permissions on the IIS metabase file (Metabase.bin) in the \WINNT\system32\inetsrv directory.

  • Local System: Full Control

  • Administrators: Full Control

Restrict Banner Information Returned by IIS

Banner information can reveal the software and versions you run, which helps an attacker target known vulnerabilities in that software.

When you retrieve a static page, for example, an .htm or a .gif file, a Content-Location header is added to the response. By default, this header references the IP address, not the fully qualified domain name (FQDN). This means that your internal IP address is unwittingly exposed. For example, the following HTTP response exposes the IP address 10.1.1.1 in its Content-Location header:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://10.1.1.1/Default.htm
    Date: Thu, 18 Feb 1999 14:03:52 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
    ETag: "067d136a639be1:15b6"
    Content-Length: 4325

You can hide the IP address in the Content-Location header by modifying a value in the IIS metabase, which changes the default behavior from exposing the IP address to sending the FQDN instead.

For more information about hiding the content location in HTTP responses, see Microsoft Knowledge Base article 218180, "Internet Information Server Returns IP Address in HTTP Header (Content-Location)."
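To confirm that the metabase change took effect (and to spot a version-revealing Server banner at the same time), the following added check script, which is not from the book, parses an IIS response and flags a Content-Location whose host is an IP literal. The sample response is the one quoted above, reconstructed with one header per line; fetch_headers is a hypothetical helper for running the same audit against a live server.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the IIS 5.0 response quoted in the text, one header per line.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://10.1.1.1/Default.htm\r\n"
    "Date: Thu, 18 Feb 1999 14:03:52 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4325\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname  # strips brackets around IPv6 literals
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_headers(headers):
    """Return findings: IP address in Content-Location, version in Server banner."""
    findings = []
    loc = headers.get("content-location")
    if loc and host_is_ip_literal(loc):
        findings.append("Content-Location exposes IP address: " + loc)
    server = headers.get("server", "")
    if "/" in server:  # product/version form, e.g. Microsoft-IIS/5.0
        findings.append("Server banner reveals product and version: " + server)
    return findings

def audit_response(raw):
    """Audit a captured raw response (status line + headers)."""
    return audit_headers(parse_headers(raw)[1])

def fetch_headers(host, path="/Default.htm", port=80, timeout=10):
    """Hypothetical live helper: GET a static page and return its headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return headers
```

Run audit_headers(fetch_headers("www.example.internal")) after the metabase change; an empty list for the Content-Location check means the server now returns the FQDN.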

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613